In this sample, we check if a module has a base image address as 0x00000000 more than once. The default executable will be set to that number; some modules attempt to hide by erasing their information from the _MODULEINFO structure, thus, GetModuleInformation would return 0x00000000 for the base address of such a module; in the end, it works nicely for detecting some hidden modules. I also included a quick comment with an example for loading other information gathered from the structure into an allocated buffer, for making a more advanced whitelist, not based off the easily-spoofable module-name factor.

#include <windows.h>
#include <strsafe.h>
#include <Psapi.h>

#define WIN32_LEAN_AND_MEAN
#define VC_EXTRALEAN

#define CODEBEGIN		0x00401000
#define CODEEND			0x004019FE
#define modAllowedSize	11
const char modAllowedArray[][255] = {
	"ADVAPI32.DLL",
	"ntdll.dll",
	"RPCRT4.dll",
	"Secur32.dll",
	"PSAPI.DLL",
	"kernel32.dll",
	"USER32.dll",
	"GDI32.dll",
	"MSVCR90.dll",
	"IMM32.DLL",
	"Killing Bad Threads.exe"
};

int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
  HMODULE modArray[1024];
  int modNumber;
  int modAllowedQ = 0;
  int noBaseAddress = 0;
  char modFileName[255];
  char modInfoTemp[255];
  _MODULEINFO modInfo;

  if( EnumProcessModules( GetCurrentProcess( ), modArray, sizeof( modArray ), ( LPDWORD ) &modNumber ) )
  {
    if( modNumber > sizeof( modArray ) )
      return( -1 );

	unsigned int i = 0;
    while( i < ( modNumber / sizeof( HMODULE ) ) )
    {
      int j = 0;
	  while( j < modAllowedSize )
      {
		GetModuleFileName( modArray[i], modFileName, 255 );
		char *ModuleName = strtok( modFileName, "\\" );
		char *ModuleTempName;
		char *ModuleLastName;
		do 
		{
			ModuleTempName = strtok( NULL, "\\" );
			if( ModuleTempName == NULL )
				break;
			ModuleName = ModuleTempName;
		} while( ModuleName != NULL );

        if( *modAllowedArray[j] == *ModuleName )
		{
			GetModuleInformation( GetCurrentProcess( ), GetModuleHandle( modAllowedArray[j] ), &modInfo, sizeof( modInfo ) );
			//sprintf( modInfoTemp, "%08x", modInfo.lpBaseOfDll );
			// If you plan to fingerprint modules, based off entrypoint
			// base address, or size of the image base, the above will
			// load that information into a buffer
			if( modInfo.lpBaseOfDll == 0 )
				noBaseAddress++;
			modAllowedQ++;
		}
        j++;
      }
      i++;
    }
	if( noBaseAddress != 1 )
	{
      MessageBox( 0, "Unknown module loaded to memory!", "Fatal error", MB_OK );
	  exit( -1 );
	}
    if( modAllowedQ < modAllowedSize )
	{
      MessageBox( 0, "Unknown module loaded to memory!", "Fatal error", MB_OK );
	  exit( -1 );
	}
  }

  MessageBox( 0, "Nothing evil detected.", "Success?", MB_OK );

  return( EXIT_SUCCESS );
}
Advertisements

I found this under an old collection files; it’s a cheat for god mode in IJJI Gunz, using AT&T inline ASM.

#include <windows.h>

BYTE gdmeCheck = 0;
BYTE tglCheck = 1;

DWORD WINAPI GetKey ( LPVOID lpParam );
DWORD WINAPI GdMde ( LPVOID lpParam );
DWORD WINAPI GetZChar ( );

BOOL APIENTRY DllMain ( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved )
{
  if( fdwReason == DLL_PROCESS_ATTACH )
  {
    CreateThread( NULL, 0, GetKey, 0, 0, NULL );
    CreateThread( NULL, 0, GdMde, 0, 0, NULL );
  }

  return( TRUE );
}

DWORD WINAPI GetKey ( LPVOID lpParam ) {
  while ( 1 ) {
   if( GetAsyncKeyState( 18 ) < 0 && GetAsyncKeyState( 71 ) < 0 )
   {
      gdmeCheck ^= 1;
      tglCheck ^= 1;
   }

   Sleep( 500 );
  }
  return( 0 );
}

DWORD WINAPI GdMde ( LPVOID lpParam ) {
 while( true ) {
   if( gdmeCheck != 0 ) {
     if( DWORD ZChar = GetZChar( ) != 0 )
       __asm__ (
        "movl %0, %%eax\n\t"
        "movl $0x461C3C00, %%ecx\n\t"
        "movl %%ecx, 0x418(%%eax)\n\t"
        "movl %%ecx, 0x41C(%%eax)\n\t"
        :"=r" (ZChar)
       );
       tglCheck = 1;
   }

   if( tglCheck != 0 )
   {
     if( DWORD ZChar = GetZChar( ) != 0 )
       __asm__ (
        "movl %0, %%eax\n\t"
        "movl $100, %%ecx\n\t"
        "movl %%ecx, 0x418(%%eax)\n\t"
        "movl %%ecx, 0x41C(%%eax)\n\t"
        :"=r" (ZChar)
       );
     tglCheck ^= 1;
   }

   Sleep( 50 );
 }
 return( 0 );
}


DWORD WINAPI GetZChar ( ) {
  DWORD ZChar = 0;
  __asm__ (
    "movl $0x49A380, %%eax\n\t"
    "movl 0x50(%%eax), %%ecx\n\t"
    "movl %%ecx, %0\n\t"
    :"=r" (ZChar)
  );
  return( ZChar );
}

Other than the HP offset, nothing’s changed, so feel free to update it 😉


I know it’s a terrible idea, but, somebody had to do it!

#include <tlhelp32.h>
#include <windows.h>

#define WIN32_LEAN_AND_MEAN
#define VC_EXTRALEAN

#define CODEBEGIN		0x00401000
#define CODEEND			0x004019FE
#define modAllowedSize	11
const char modAllowedArray[][255] = {
	"ADVAPI32.DLL",
	"ntdll.dll",
	"RPCRT4.dll",
	"Secur32.dll",
	"PSAPI.DLL",
	"kernel32.dll",
	"USER32.dll",
	"GDI32.dll",
	"MSVCR90.dll",
	"IMM32.DLL",
	"Killing Bad Threads.exe"
};


int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
  HMODULE modArray[1024];
  int modNumber;
  int modAllowedQ = 0;
  char modFileName[255];

  if( EnumProcessModules( GetCurrentProcess( ), modArray, sizeof( modArray ), ( LPDWORD ) &modNumber ) )
  {
    if( modNumber > sizeof( modArray ) )
      return( -1 );

	unsigned int i = 0;
    while( i < ( modNumber / sizeof( HMODULE ) ) )
    {
      int j = 0;
	  while( j < modAllowedSize )
      {
		GetModuleFileName( modArray[i], modFileName, 255 );
		char *ModuleName = strtok( modFileName, "\\" );
		char *ModuleTempName;
		char *ModuleLastName;
		do 
		{
			ModuleTempName = strtok( NULL, "\\" );
			if( ModuleTempName == NULL )
				break;
			ModuleName = ModuleTempName;
		} while( ModuleName != NULL );

        if( *modAllowedArray[j] == *ModuleName )
			modAllowedQ++;
        j++;
      }
      i++;
    }
    if( modAllowedQ < modAllowedSize )
	{
      MessageBox( 0, "Unknown module loaded to memory!", "Fatal error", MB_OK );
	  exit( -1 );
	}
  }

  MessageBox( 0, "Nothing evil detected.", "Success?", MB_OK );

  return( EXIT_SUCCESS );
}

Just another idea I had for killing foreign threads 😉

#include <windows.h>
#include <tlhelp32.h>

#define CODEBEGIN	0x00401000
#define CODEEND		0x004019FE

DWORD WINAPI GetThreadStartAddress( HANDLE hThread )
{
    NTSTATUS ntStatus;
    HANDLE hDupHandle;
    DWORD dwStartAddress;
    typedef NTSTATUS ( WINAPI *NQIT )( HANDLE, LONG, PVOID, ULONG, PULONG );
    NQIT NtQueryInformationThread = ( NQIT )GetProcAddress( GetModuleHandle( "ntdll.dll" ), "NtQueryInformationThread" );

    HANDLE hCurrentProcess = GetCurrentProcess( );

    if( !DuplicateHandle( hCurrentProcess, hThread, hCurrentProcess, &hDupHandle, THREAD_QUERY_INFORMATION, FALSE, 0 ) ) {
        return( ERROR_ACCESS_DENIED );
    }

    ntStatus = NtQueryInformationThread( hDupHandle, 9, &dwStartAddress, sizeof( DWORD ), NULL );

    CloseHandle( hDupHandle ); 

    return( dwStartAddress );
}

int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
  HANDLE h = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
  if( h != INVALID_HANDLE_VALUE ) {
    THREADENTRY32 te;
    te.dwSize = sizeof( te );
    if( Thread32First( h, &te ) ) {
      do {
       if ( te.dwSize >= FIELD_OFFSET( THREADENTRY32, th32OwnerProcessID ) +
                      sizeof( te.th32OwnerProcessID ) &&
					  GetCurrentProcessId( ) == te.th32OwnerProcessID ) {
			DWORD dwStartAddress;
			HANDLE lclThread = OpenThread( THREAD_GET_CONTEXT, FALSE, te.th32ThreadID );
			dwStartAddress = GetThreadStartAddress( lclThread );
			if( dwStartAddress < CODEBEGIN || dwStartAddress > CODEEND )
			{
				TerminateThread( lclThread, EXIT_SUCCESS );
			} else {
				CONTEXT ctx;
				SuspendThread( lclThread );
				GetThreadContext( lclThread, &ctx );
				if( ( int ) &ctx.Eip < CODEBEGIN || ( int ) &ctx.Eip > CODEEND )
					TerminateThread( lclThread, EXIT_SUCCESS );
				ResumeThread( lclThread );
			}


			CloseHandle( lclThread );
	  }
      te.dwSize = sizeof( te );
    } while( Thread32Next( h, &te ) );
   }
  }
  CloseHandle( h );
 

  MessageBox( 0, "Debugger not found.", "Success?", MB_OK );

  return( EXIT_SUCCESS );
}

Originally published around 2007, the vulnerability pertaining to removing the questiontype field on the “My Account” page has finally been patched. I guess account security isn’t something IJJI cares about all that much.


While this method is very old, I still find it necessary to be known.

GameGuard’s hooks are a 5-byte JMP overwritten at the beginning of most functions. Considering most functions first 5 bytes are “MOV EDI, EDI”, “PUSH EBP”, and “MOV EBP, ESP”, you can write a generic layer for repairing functions:

#include <windows.h>

int kLastFunctionOffset;

int kGetFunctionAddress ( char * kFunction )
{
	DWORD kFunctionAddress;
	HMODULE kHM_Kernel32;

	kHM_Kernel32 = LoadLibrary ( L"kernel32.dll" );
           kFunctionAddress = ( int ) GetProcAddress ( kHM_Kernel32, ( LPCSTR ) kFunction );
	FreeLibrary ( kHM_Kernel32 );

	return( kFunctionAddress + 5 );
}

 BOOL __declspec(naked) WINAPI kCallFunction ( ... )
{
	__asm
	{
		mov edi, edi;
		push ebp;
		mov ebp, esp;
		JMP kLastFunctionOffset;
	};
}

int WINAPI WinMain ( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )
{
    kLastFunctionOffset = kGetFunctionAddress ( "LoadLibraryW" );
	kCallFunction ( ( byte * ) L"kernel32.dll" );
    return ( EXIT_SUCCESS );
}

In the above example, we assume “LoadLibraryW” is hooked, and bypass it. The above is pretty self-explanitory, so feel free to port it to your own cheats!


I don’t even know why I start on some of these projects..

<?php
class MSSQL {
 private $link;

 public function Connect( $host, $user, $pass )
 {
   return( $this->$link = mssql_connect( $host, $user, $pass ) );
 }

 public function Disconnect( )
 {
   return( mssql_close( $this->$link ) );
 }


 public function Select( $database )
 {
   return( mssql_select_db( $database, $this->$link ) );
 }
}
?>